Tuesday, 6 January 2015

2015 & UK websites still fail miserably to protect Customer Data

The New Year was ushered in with news that both the Moonpig.com and UK Police National Property Register websites had vulnerabilities that placed millions of UK citizens' personal information at risk of data theft.

Moonpig had 3 million customer records exposed by a basic web application vulnerability. By changing the customer ID number on an unauthenticated API (Application Programming Interface) request, an attacker could retrieve other website users' personal data, which included their name, address, birth date and email address. By writing a simple script, an attacker could have taken a copy of millions of customer records. Worse still, this serious vulnerability was reported to Moonpig some 18 months ago.

It only takes a few minutes on the Moonpig website to see they are a million miles away from adhering to industry best practice for web application security, as advocated by the likes of OWASP. It appears that the Moonpig website has never been properly penetration tested; if it has, then either the pen testers did a terrible job, or the Moonpig staff have completely ignored fixing the vulnerabilities the test discovered.

The first thing I noticed when I set up a Moonpig account a couple of years back is that I was provided with a default 8-digit password. That's digits as in just numbers; even primary school children know that using only numbers is a terrible idea when setting a password, trust me, as I have educated quite a few school kids on password security in my time. Poor default passwords are a tell-tale sign of overall poor website security.

Moonpig.com has still not been Secured
The next thing I observed (which is still present as I write this) is that the website does not time out user sessions within an adequate timescale. When you close the Moonpig.com website in your web browser, you may believe you have logged out, but wait 20 minutes or so, open Moonpig.com in your web browser again, and you, or on a shared computer possibly someone else, still have authenticated, logged-in access to the Moonpig website. It is web application security 101 to set a website session idle timeout, depending on risk, to between 5 and 15 minutes. This logs an authenticated website user out when the user is not actively using the site. Session timeouts play an important role in protecting user accounts against session hijacking and man-in-the-middle attacks, and the issue is important enough to be listed 3rd in the OWASP Top Ten.
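An added example, not code from this post or from Moonpig, of the server-side idle timeout described above, in Python using only the standard library; the 10-minute value and the store and function names are assumptions for the illustration.

```python
import secrets
import time

# Assumed 10-minute idle timeout, mid-range of the 5-15 minutes the post recommends.
IDLE_TIMEOUT_SECONDS = 10 * 60


class SessionStore:
    """In-memory, server-side session store with a sliding idle timeout."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self.idle_timeout = idle_timeout
        self._sessions = {}  # token -> {"user_id": ..., "last_seen": ...}

    def create(self, user_id, now=None):
        """Log a user in: issue an unguessable token and record the time."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user_id": user_id,
                                 "last_seen": time.time() if now is None else now}
        return token

    def resolve(self, token, now=None):
        """Map a presented token to its user_id, or None if the session is unknown
        or has been idle longer than the timeout.  An idle session is deleted on
        first contact, so the same token cannot be revived afterwards."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if now - entry["last_seen"] > self.idle_timeout:
            del self._sessions[token]
            return None
        entry["last_seen"] = now  # activity slides the idle window forward
        return entry["user_id"]

    def logout(self, token):
        """Explicit logout destroys the session server-side immediately."""
        self._sessions.pop(token, None)


def walk_through():
    """Replay the post's scenario with a fixed clock: a user is active, closes the
    browser, and someone opens the site again 20 minutes after the last activity."""
    store = SessionStore()
    t0 = 1_700_000_000.0  # arbitrary fixed start time
    token = store.create(user_id=42, now=t0)
    active = store.resolve(token, now=t0 + 3 * 60)               # 3 min later: 42
    later = store.resolve(token, now=t0 + 3 * 60 + 20 * 60)      # 20 idle min: None
    retry = store.resolve(token, now=t0 + 3 * 60 + 20 * 60 + 5)  # still None
    return active, later, retry
```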

If you have an account with Moonpig, you are probably thinking it would be wise to delete your account to ensure your personal information is kept safe. The problem is that you can't delete your account via the Moonpig website; the best you can do is to remove all the names and addresses of your loved ones and friends from your Moonpig address book. If you want your Moonpig account removed, which you are fully entitled to under UK law, I suggest you phone Moonpig on 0345 4500 100.

I expect the Information Commissioner's Office (ICO), the independent body responsible for protecting UK citizens' personal data, will take a dim view of Moonpig's website and take enforcement action against the business for its apparent flagrant disregard for protecting its customers' personal information.

Immobilise WebApp flaw was both Serious and Embarrassing
The serious vulnerability in the UK Police National Property Register website, Immobilise, is highly embarrassing to say the least. The Immobilise website allows members of the British public to list valuables kept within their homes. A web application vulnerability similar to Moonpig's was found: by changing the ID number in the website URL, an attacker could gain access to other people's records. This was possible due to the lack of a user authentication check in the website code. The Immobilise data includes a name and address along with a list of valuables and an estimated value for each item, which just happens to be the perfect information for any would-be burglar, hence the high embarrassment. Over 4 million records were placed at risk by this basic web application coding vulnerability. Recipero, the provider of the Immobilise website, acted quickly to resolve the vulnerability; however, the presence of this kind of vulnerability suggests the website was not properly penetration tested, or that it was and either a poor testing job was done or the vulnerability was previously detected but not fixed.
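As an added illustration of the coding flaw behind both the Moonpig and Immobilise stories (not code from Moonpig, Recipero or this post), here is a Python handler that trusts the record ID in the request beside one that requires a login and checks ownership first. The records, IDs, status codes and function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample records standing in for a customer or property table; each
# record carries the id of the account that owns it.  Not real data.
RECORDS = {
    5001: {"owner": 1001, "name": "Alice Example", "address": "1 Sample Street",
           "items": [("laptop", 800), ("watch", 1200)]},
    5002: {"owner": 1002, "name": "Bob Example", "address": "2 Sample Road",
           "items": [("bicycle", 450)]},
}


@dataclass
class Response:
    status: int
    body: object = None


def get_record_vulnerable(record_id: int) -> Response:
    """Before: the id comes straight from the URL or API request and nobody checks
    who is asking, so any caller can iterate ids and read every record."""
    record = RECORDS.get(record_id)
    return Response(200, record) if record else Response(404)


def get_record_fixed(session_user_id: Optional[int], record_id: int) -> Response:
    """After: require an authenticated session (401 otherwise), then enforce that
    the caller owns the record.  Someone else's record gets the same 404 as a
    missing one, so the response does not reveal which ids exist."""
    if session_user_id is None:
        return Response(401)
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != session_user_id:
        return Response(404)
    return Response(200, record)


def list_own_records(session_user_id: Optional[int]) -> Response:
    """Safest shape: the client supplies no id at all; the server derives the
    result set purely from the authenticated identity."""
    if session_user_id is None:
        return Response(401)
    ids = sorted(rid for rid, rec in RECORDS.items() if rec["owner"] == session_user_id)
    return Response(200, ids)
```

A penetration test or automated scan of the kind the post recommends should flag the first shape the moment two different logins (or none at all) can fetch the same record by number.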

The Moral of these Website Vulnerabilities
The moral of both these news stories: if your business has a website which holds personal or confidential information, ensure the website is penetration tested by a reputable penetration testing company before it goes live on the Internet. Then ensure the website is penetration tested at least annually thereafter, and after any significant change to the website code. It should go without saying that any vulnerabilities found by pen testing are resolved. A quality penetration tester will be happy to explain the vulnerabilities found and to advise developers on how to fix them. Make sure any Critical, High and Medium level vulnerabilities detected are not only resolved, but also re-tested before going live with the website.

I also recommend performing automated vulnerability scans of all websites. Subject to the risk, conduct automated vulnerability scans daily, weekly or at the very most monthly; quarterly is not frequent enough in my view. The likes of Outpost24 Outscan provide quality external automated website vulnerability scans, which detect many web application vulnerabilities, helping you keep a step ahead of the bad guys who seek to exploit website vulnerabilities for personal gain.